As Chrome’s tenth birthday is celebrated, Google has released a new edition of the world’s most popular desktop browser. Chrome 69 has been rolled out with a strong password generator, rounder tabs, new icons, and other user interface changes.

It’s certainly been a successful ten years for the Chrome browser. In the late-1990s and early 2000s, most of us were using Netscape and then Internet Explorer on our desktop PCs. Today, it’s overwhelmingly Chrome.

But whatever browser you choose to run, chances are that it’s not just the browser. You’re also very likely to be running third-party extensions and plugins to boost the browser’s abilities, tweak its behaviour, and enhance your online security.

What many people don’t realise is that these extensions can themselves present a security risk, and - when you look into it - it’s pretty terrifying just how much a browser extension can do.

An ad blocker, for instance, can read and change all your data on the websites that you visit. It *has* to have that ability in order to strip ads out of every page you load. When you install a browser extension, you’re placing a lot of trust in it never turning evil.

One popular service which has its own Chrome browser extension is Mega.nz - the cloud-based file-sharing service founded by the shadowy larger-than-life figure of Kim Dotcom (he severed all ties with Mega three years ago).

This week, as ZDNet reports, the official Chrome browser extension for Mega.nz was compromised with a malicious update.

Users of the extension received an automatic update which requested more permissions, including the ability to “read and change all your data on the websites that you visit.” Chrome prompts the user when an update asks for new permissions, but in all likelihood many users simply clicked through the warning.

That, of course, was a big mistake.
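The two paragraphs above describe the same mechanism from both sides: the ad blocker legitimately needs all-sites access, and the trojanised update abused an upgrade prompt to obtain it. The script below is an added example, not code from this article or from MEGA, showing what that escalation looks like in an extension’s manifest.json and how to spot it before accepting the prompt. The two manifests in it are constructed for illustration (hypothetical names and versions), and the permission lists it treats as “broad” or “sensitive” are the author-of-this-example’s choice, not a Chrome definition.

```javascript
// Added example (not code from the article or from MEGA): diff the permissions
// declared by two versions of a Chrome extension manifest and flag an update
// that newly asks to read and change data on every site the user visits.
// Both manifests further down are constructed for illustration.

// Host patterns that match every origin. Declaring one of these, whether as a
// permission, a host_permission or a content script "matches" entry, is what
// triggers Chrome's "read and change all your data on the websites you visit"
// warning. The set itself is this example's assumption about what counts.
const ALL_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// API permissions that let an extension watch or alter traffic and browser
// state; chosen for this example, not an official Chrome risk list.
const SENSITIVE_APIS = new Set([
  'webRequest', 'webRequestBlocking', 'declarativeNetRequest', 'cookies',
  'tabs', 'history', 'clipboardRead', 'nativeMessaging', 'debugger',
]);

// Collect every host pattern and API permission a manifest grants itself.
// Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
function grants(manifest) {
  const hosts = new Set();
  const apis = new Set();
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of declared) {
    if (p === '<all_urls>' || p.includes('://')) hosts.add(p);
    else apis.add(p);
  }
  // Content scripts run inside matching pages, so their match patterns are
  // host access too, even when no host permission is declared.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) hosts.add(m);
  }
  return { hosts, apis };
}

const hasAllHosts = (hosts) => [...hosts].some((h) => ALL_HOSTS.has(h));
const added = (before, after) => [...after].filter((x) => !before.has(x));

// Compare the installed version against its update. Reports what was added and
// whether the update crosses from site-specific access to all-sites access.
function auditUpdate(oldManifest, newManifest) {
  const before = grants(oldManifest);
  const after = grants(newManifest);
  const addedApis = added(before.apis, after.apis);
  return {
    addedHosts: added(before.hosts, after.hosts),
    addedApis,
    addedSensitiveApis: addedApis.filter((p) => SENSITIVE_APIS.has(p)),
    escalatesToAllHosts: !hasAllHosts(before.hosts) && hasAllHosts(after.hosts),
  };
}

// Constructed manifests: a benign version scoped to one site, and an update that
// requests blanket access plus the ability to intercept requests.
const INSTALLED = {
  name: 'Example Uploader', manifest_version: 2, version: '1.0.0',
  permissions: ['storage', 'https://uploader.example/*'],
  content_scripts: [{ matches: ['https://uploader.example/*'], js: ['inject.js'] }],
};
const UPDATE = {
  name: 'Example Uploader', manifest_version: 2, version: '1.0.1',
  permissions: ['storage', 'https://uploader.example/*', '<all_urls>',
                'webRequest', 'webRequestBlocking'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['inject.js'] }],
};

// Usage: node audit-manifest.js installed/manifest.json update/manifest.json
// With no arguments the constructed manifests above are compared.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const [oldPath, newPath] = process.argv.slice(2);
  const load = (p) => JSON.parse(fs.readFileSync(p, 'utf8'));
  const report = (oldPath && newPath)
    ? auditUpdate(load(oldPath), load(newPath))
    : auditUpdate(INSTALLED, UPDATE);
  console.log(JSON.stringify(report, null, 2));
  if (report.escalatesToAllHosts) {
    console.log('WARNING: update escalates to all-sites access; do not accept blindly.');
  }
}
```

On a machine where the previous version is still unpacked under Chrome’s extensions directory, the old and new manifest.json can be fed to this script to get the same answer the permission prompt is hinting at, only without the temptation to click “Update”.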

The malicious edition of the Mega.nz extension started stealing usernames, passwords, and cryptocurrency private keys from Chrome users as they used sites such as Amazon, Google, Microsoft, GitHub, MyEtherWallet, MyMonero, and the cryptocurrency trading platform IDEX.

And to where was the sensitive data being siphoned? A Ukrainian server.

The suspicion has to be that Mega.nz’s account in the Chrome web store was somehow hacked. Was phishing to blame? A weak password? A reused password? A hack at Mega.nz? We just don’t know, and for now no-one’s saying.

The malicious version of the Mega.nz extension was available for Chrome users for some hours, and users who were updated during that time may have had credentials and private keys stolen from them. Mega.nz says it has now been removed, and is at pains to point out that the Firefox version of the extension is not affected.

Mega.nz, it seems, is placing some of the blame on Google itself - claiming that the security measures in place for extensions in the Chrome web store are weaker than those for, say, Firefox:

We would like to apologise for this significant incident. MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible. Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well.

If you run the Mega.nz Chrome extension, change the passwords for all online accounts you may have logged into while the trojanized version was active. Make sure the new passwords are unique, and hard to crack. Bear in mind that a new password does nothing for a stolen cryptocurrency private key: any wallet key you used in the browser during that window should be treated as compromised, and the funds moved to a wallet with a freshly generated key.

About the author, Graham Cluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.

3 Responses

There needs to be some sort of repository for extensions and permissions or alerts in when ownership of an add-on changes for the exact reasons you mention. Or some kind of “certification” for open-source code verifying that the code is not doing anything malicious

It has always concerned me about what if Adblock, Adblock Plus and uBlock Origin were compromised. That would be a lot of browsers affected.

It’s possible to avoid using browser extensions, but getting rid of the last one—the adblocker—is a problem because browsing without one is also an issue. Hosts files are too clunky. It was better when adblockers were built directly into the browser rather than being extensions (such as ‘Tracking Protection Lists’ in Internet Explorer 9 onwards), and the user then just subscribed to the lists they wished to use (such as EasyList, etc.) or used their own lists.